
luci-app-unblockneteasemusic: rewrite func to add pub_access rule
authorZiMing Mo <msylgj@immortalwrt.org>
Thu, 17 Mar 2022 09:46:08 +0000 (17:46 +0800)
committerZiMing Mo <msylgj@immortalwrt.org>
Thu, 17 Mar 2022 09:46:08 +0000 (17:46 +0800)
applications/luci-app-unblockneteasemusic/root/etc/init.d/unblockneteasemusic
applications/luci-app-unblockneteasemusic/root/usr/share/unblockneteasemusic/rules/chain.uc

index 23bba20..049ea46 100755 (executable)
@@ -11,7 +11,6 @@ STOP=10
 NAME="unblockneteasemusic"
 UPGRADE_CONF="/lib/upgrade/keep.d/$NAME"
 
-IPT_N="iptables -t nat"
 RULES_UC="/usr/share/$NAME/rules/default.uc"
 RULES_NFT="/etc/nftables.d/90-$NAME-rules.nft"
 
@@ -73,21 +72,6 @@ start_service()
        [ "${hijack_ways}" = "use_hosts" ] && { http_port="80"; https_port="443"; }
        append_param "-p" "${http_port}":"${https_port}"
 
-       if is_enabled "config" "pub_access"; then
-               local rule="$(uci show firewall | grep "name='unblockneteasemusic_pub_access'" | awk -F '.' '{ print $2}')"
-               [ -n "${rule}" ] || {
-                       uci -q batch <<-EOF
-                               add firewall rule
-                               set firewall.@rule[-1].name='unblockneteasemusic_pub_access'
-                               set firewall.@rule[-1].proto='tcp'
-                               set firewall.@rule[-1].src='wan'
-                               set firewall.@rule[-1].dest_port='${http_port}-${https_port}'
-                               set firewall.@rule[-1].target='ACCEPT'
-                               commit firewall
-                       EOF
-               }
-       fi
-
        local music_source
        config_get music_source "config" "music_source" "default"
        [ "${music_source}" != "default" ] && append_param -o "${music_source}"
@@ -165,6 +149,11 @@ start_service()
                local tmp="/tmp/$NAME"
                local neteasemusic_addr="$(echo -e "${netease_music_ips}\n${netease_music_ips2}" |sort -u |awk '{print $1}')"
                json_init
+               if is_enabled "config" "pub_access"; then
+                       json_add_int o_pub_access "1"
+               else
+                       json_add_int o_pub_access "0"
+               fi
                json_add_int o_http_port "${http_port}"
                json_add_int o_https_port "${https_port}"
                json_add_string o_acl_http_addr "$acl_http_addr"
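Review bot: Routers upgraded from the previous version can keep a stale `unblockneteasemusic_pub_access` rule in the firewall config, because pub_access now reaches only the nft template as `o_pub_access` while this commit removes both the code that created the uci rule and the cleanup in stop_service. That rule was written with `commit firewall`, so it presumably keeps accepting WAN traffic on the old port range even after pub_access is switched off. A one-time migration would close the gap: look the rule up by name as the removed code did, then run `[ -z "${rule}" ] || { uci -q delete "firewall.${rule}"; uci commit firewall; }` from a uci-defaults script or early in start_service. The body of start_service continues outside this hunk.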
@@ -225,14 +214,6 @@ stop_service()
                echo "${self_issue_cert_key}" >> "${UPGRADE_CONF}"
        }
 
-       local rule="$(uci show firewall | grep "name='unblockneteasemusic_pub_access'" | awk -F '.' '{ print $2}')"
-       [ -n "${rule}" ] && {
-               uci -q batch <<-EOF
-                       delete firewall.${rule}
-                       commit firewall
-               EOF
-       }
-
        [ ! -e "$RULES_NFT" ] || rm -f "$RULES_NFT"
        fw4 reload
 
index 8e513f7..79d0d64 100644 (file)
@@ -2,11 +2,18 @@
 
 let http_port = o_http_port;
 let https_port = o_https_port;
+let pub_access = o_pub_access;
 
 %}
 
+{% if (pub_access == 1): %}
+chain input_wan {
+       tcp dport {{ http_port }}-{{ https_port }} counter accept comment "!fw4: unblockneteasemusic-pub-access"
+}
+{% endif %}
+
 chain netease_cloud_music {
-       type nat hook prerouting priority -1;
+       type nat hook prerouting priority -1; policy accept;
        meta l4proto tcp ip daddr @neteasemusic_ipv4 jump netease_cloud_music_redir;
        meta l4proto tcp ip6 daddr @neteasemusic_ipv6 jump netease_cloud_music_redir;
 }
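Review bot: The accept rule added to `chain input_wan` matches the whole range `{{ http_port }}-{{ https_port }}` rather than the two listener ports, so every TCP port in between is opened to WAN; with the `use_hosts` values set in the init script (80 and 443) that is 80–443. A range would also likely be rejected by nft when http_port is configured higher than https_port, which would break loading of the include. Matching the two ports as a set limits the exposure to what the service needs: `tcp dport { {{ http_port }}, {{ https_port }} } counter accept comment "!fw4: unblockneteasemusic-pub-access"`. The chain name assumes a firewall zone called wan; a short template comment stating this would help users whose WAN zone has a different name.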
@@ -21,5 +28,3 @@ chain netease_cloud_music_redir {
        tcp dport 80 counter redirect to :{{ http_port }};
        tcp dport 443 counter redirect to :{{ https_port }};
 }
-
-